On 24/10/2021 at 21:45, Anton Lindqvist wrote:
On Sun, Oct 24, 2021 at 03:03:01PM +0200, Damien Couderc wrote:
Hi,
I got a page fault with upd(4) since 7.0.

The problem began with the last revision of upd.c (1.30):

===================================================================
RCS file: /cvs/src/sys/dev/usb/upd.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- src/sys/dev/usb/upd.c       2021/03/08 14:35:57     1.29
+++ src/sys/dev/usb/upd.c       2021/08/06 17:46:45     1.30
@@ -1,4 +1,4 @@
-/*     $OpenBSD: upd.c,v 1.29 2021/03/08 14:35:57 jcs Exp $ */
+/*     $OpenBSD: upd.c,v 1.30 2021/08/06 17:46:45 abieber Exp $ */

  /*
   * Copyright (c) 2015 David Higgs <hig...@gmail.com>
@@ -167,7 +167,7 @@
                if (upd_lookup_usage_entry(desc, size,
                    upd_usage_roots + i, &item)) {
                        ret = UMATCH_VENDOR_PRODUCT;
-                       break;
+                       uha->claimed[item.report_ID] = 1;
                }

        return (ret);
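
Review bot: The store `uha->claimed[item.report_ID] = 1;` added in the loop body writes through uha->claimed with an index taken from the parsed report descriptor, and nothing in this hunk checks that uha->claimed is non-NULL or that item.report_ID is smaller than uha->nreports. Suggest guarding the store, for example with `if (uha->claimed != NULL && item.report_ID < uha->nreports)`, and skipping the claim otherwise. With the `break` gone the loop now visits every upd_usage_roots entry, so a short comment saying that each matching report ID is claimed would make the intent clear.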

===================================================================

The uha.claimed array is allocated using uha.nreports as its size while
upd_match() is looping through the number of items of upd_usage_roots.

In my case uha.nreports is equal to zero so uha.claimed is null, hence
setting uha->claimed[n] is failing.

As I'm not familiar with the HID code I have not yet understood the
relation between upd_usage_roots and the claimed array but as we're
talking about UPS attached computers I thought the issue would be sensible
enough to make a quick report.

You'll find a dmesg with options UPD_DEBUG and UHIDEV_DEBUG set and the
following patch applied to circumvent the page fault and provide some debug:
Could you try the following diff, looks like an unsigned wrap around.

Index: dev/usb/uhidev.h
===================================================================
RCS file: /cvs/src/sys/dev/usb/uhidev.h,v
retrieving revision 1.32
diff -u -p -r1.32 uhidev.h
--- dev/usb/uhidev.h    12 Sep 2021 06:58:08 -0000      1.32
+++ dev/usb/uhidev.h    24 Oct 2021 19:44:52 -0000
@@ -82,7 +82,7 @@ struct uhidev_attach_arg {
        struct uhidev_softc     *parent;
        uint8_t                  reportid;
  #define       UHIDEV_CLAIM_MULTIPLE_REPORTID  255
-       uint8_t                  nreports;
+       u_int                    nreports;
        uint8_t                 *claimed;
  };
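
Review bot: Changing nreports to u_int on this line only helps if the count is never narrowed before it reaches this field; the hunk touches just the struct member, so the code that computes the count and allocates claimed should be checked for intermediate uint8_t variables. Since claimed sits directly below and is sized by nreports, a one-line comment on the field stating that relationship, and that claimed can be NULL when nreports is 0, would help the drivers that index it.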
Hello Anton,

I made a quick test and nreports is now set with 256 but I still get the page fault.

I'll check the details ASAP.


Thank you,

Damien
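
The unsigned wrap-around suspected in the thread, modelled in userland C together with a guarded store into claimed[]. This is an added example, not code from the thread or from OpenBSD. The struct names, the helper functions and the slot count passed in are hypothetical; 256 is the nreports value reported after the type change.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userland model; field names follow the thread, the rest is hypothetical. */
struct arg_narrow { uint8_t nreports; uint8_t *claimed; };      /* before */
struct arg_wide   { unsigned int nreports; uint8_t *claimed; }; /* after */

/* claimed[] is sized by nreports; a zero count yields no array (NULL). */
static uint8_t *alloc_claimed(unsigned int nreports)
{
	return nreports ? calloc(nreports, sizeof(uint8_t)) : NULL;
}

/* slots is the number of report slots the parent wants to expose. */
void setup_narrow(struct arg_narrow *a, unsigned int slots)
{
	a->nreports = (uint8_t)slots;	/* 256 truncates to 0 */
	a->claimed = alloc_claimed(a->nreports);
}

void setup_wide(struct arg_wide *a, unsigned int slots)
{
	a->nreports = slots;
	a->claimed = alloc_claimed(a->nreports);
}

/* Guarded store: 0 on success, -1 when the write would be out of bounds. */
int claim_report(uint8_t *claimed, unsigned int nreports, unsigned int id)
{
	if (claimed == NULL || id >= nreports)
		return -1;
	claimed[id] = 1;
	return 0;
}

int main(void)
{
	struct arg_narrow n;
	struct arg_wide w;

	setup_narrow(&n, 256);	/* constructed input: report IDs 0..255 */
	setup_wide(&w, 256);
	int ok = claim_report(n.claimed, n.nreports, 3) == -1 &&
	    claim_report(w.claimed, w.nreports, 3) == 0;
	free(w.claimed);
	return ok ? 0 : 1;
}
```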
